hm, it would be wise to check what the output of iptables-save is before applying this, because with -A INPUT rules are appended at the end of the INPUT chain, which leaves the possibility of an ACCEPT rule allowing the traffic earlier on in the chain, so rather -I INPUT than -A INPUT in my opinion...
– Hrvoje Špoljar Feb 24 '11 at 23:30

You could also use the ipset module ( http://ipset.netfilter.org/ ). When the list of IP addresses gets long, matching them one by one with individual iptables rules will lead to degraded performance. Ipset should perform much better. Also, with ipset you can reload addresses at any time without touching your rules.

Even if you don't want to bother with ipset, it is better to drop banned addresses in the iptables "raw" table. This way, the connection tracking framework will not see them and won't create state records you'll never need. This should also improve performance in case the firewall has to handle lots of traffic.
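As an added example (not code from the answer above), here is one way to put both suggestions together: a small POSIX sh script that turns a block list into an `ipset restore` script and drops anything in that set from the raw table's PREROUTING chain, i.e. before connection tracking and before any ACCEPT rule in the filter table. The set name `blocklist`, the sample addresses (documentation ranges) and the `-m set --match-set` syntax for the iptables set match are assumptions for this example; the functions only generate text unless the script is run as `apply` with root privileges.

```shell
#!/bin/sh
# Added example: build an ipset-based block list and drop matching packets
# in the raw table, so conntrack never creates state for them.

SET_NAME="blocklist"            # assumed set name

# Constructed sample entries (documentation ranges); replace with real data.
BLOCKLIST="192.0.2.10
192.0.2.0/24
198.51.100.7"

# Emit an "ipset restore" script for the block list. hash:net accepts both
# single hosts and CIDR networks; flushing first makes a reload replace the
# old contents without touching any iptables rule.
build_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    printf 'flush %s\n' "$SET_NAME"
    printf '%s\n' "$BLOCKLIST" | while read -r entry; do
        [ -n "$entry" ] || continue
        printf 'add %s %s\n' "$SET_NAME" "$entry"
    done
}

# The single rule that references the set. The raw table only has PREROUTING
# and OUTPUT; PREROUTING is hit before conntrack, and -I puts the rule at the
# head of the chain so nothing earlier can ACCEPT the traffic.
raw_drop_rule() {
    printf 'iptables -t raw -I PREROUTING -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# True if the rule is already installed (keeps re-runs from stacking copies).
rule_present() {
    iptables -t raw -C PREROUTING -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null
}

# Load (or reload) the set, then install the rule once. Needs root.
# "ipset -exist restore" tolerates the set already existing on a reload.
apply() {
    build_ipset_restore | ipset -exist restore
    rule_present || iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP
}

case "${1:-}" in
    apply) apply ;;
    show)  build_ipset_restore; raw_drop_rule ;;
esac
```

Run `sh blocklist.sh show` to review the generated commands, and `sh blocklist.sh apply` as root to install them; re-running `apply` with an updated `BLOCKLIST` only reloads the set, as the answer describes. Note that `flush` empties the set before the new entries go in, so for a fully atomic reload you would load into a second set and use `ipset swap`.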